N-Day Vulnerabilities Pose Major Threat to Android Users, Google Report Shows

Google's annual zero-day (0-day) vulnerability report for 2022 reveals a troubling trend for Android users. The tech giant warned about n-day vulnerabilities functioning as 0-days in the Android ecosystem, exposing users to a wide range of attacks.

Zero-day vulnerabilities are flaws that hackers learn about before the vendor becomes aware of them or releases a patch. However, n-days are publicly known vulnerabilities that may or may not have a patch. When the vendor learns of a bug, it transitions from a zero-day to an n-day, with 'n' referring to the number of days since the company became aware of it.

Even if a fix becomes available, unpatched devices remain open to attacks from threat actors, who can exploit the flaws using methods either publicly known or designed by themselves. This issue stems from so-called patch gaps, where device manufacturers roll out patches from vendors later than they should, leaving devices vulnerable in the meantime.

"These gaps between upstream vendors and downstream manufacturers allow n-days - vulnerabilities that are publicly known - to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device," Google's report states. "While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android."

An example of this issue is the ARM Mali GPU bug. This Android flaw was reported in July 2022 by GitHub Security Lab researcher Man Yue Mo. The Android Security Team referred the issue to ARM instead, labeling it a "Won't Fix" situation due to its device-specific nature. ARM then released a new, patched driver version in October 2022.

However, it wasn't until November 2022 that Google's Threat Analysis Group (TAG) found the bug being exploited in the wild. Even though ARM had already released a patch, the complete fix for the vulnerability was rolled out on Android in April 2023. This was six months after ARM's patch release, nine months after the initial reporting, and five months after it was found being exploited in the wild.

In conclusion, Google's report highlights the complexities within the Android ecosystem, which results in delays between the discovery of a vulnerability, the release of a patch, and the patch's implementation by device manufacturers.